Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 16:32
Static task: static1
Behavioral task: behavioral1
  Sample: 07c570dd70589229a0421d681977a743_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 07c570dd70589229a0421d681977a743_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 07c570dd70589229a0421d681977a743_JaffaCakes118.exe
Size: 732KB
MD5: 07c570dd70589229a0421d681977a743
SHA1: 2aed17a0a83135117cf59278b5d46ba293c45380
SHA256: f0913c4ceef7752db1bdda7e70617512da8e6ab399f329c0c77eb01d1aa199b1
SHA512: 0ceb158f1009d4b8e7ac022a7ad15c001abd2b73959ec513abc2851e32abd8fc5544e1b9564bcfeee7985bf078f23b9b36f61770122e78e1502798abebb17a48
SSDEEP: 12288:JPdsCAmVw2f+LEXLjDk3aXDlkd3dTw6X6tF3Z4mxxJ4H8tcFA8WS:JPpVw2f+LEppwdU6X6tQmX+H8mH
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
The stage-2 YARA rule matched the 0x400000-0x4C0000 image region of PIDs 4512 and 5072, the two processes that their parents hollowed via SetThreadContext below.
  resource                                                                      yara_rule
  behavioral2/memory/4512-53-0x0000000000400000-0x00000000004C0000-memory.dmp   modiloader_stage2
  behavioral2/memory/5072-56-0x0000000000400000-0x00000000004C0000-memory.dmp   modiloader_stage2
Executes dropped EXE (2 IoCs)
  pid    process
  5040   rejoice101.exe
  5072   rejoice101.exe
Drops file in System32 directory (2 IoCs)
  description                    ioc                                   process
  File created                   C:\Windows\SysWOW64\_rejoice101.exe   rejoice101.exe
  File opened for modification   C:\Windows\SysWOW64\_rejoice101.exe   rejoice101.exe
Suspicious use of SetThreadContext (2 IoCs)
  description                            pid    process                                              target process
  PID 2396 set thread context of 4512    2396   07c570dd70589229a0421d681977a743_JaffaCakes118.exe   07c570dd70589229a0421d681977a743_JaffaCakes118.exe
  PID 5040 set thread context of 5072    5040   rejoice101.exe                                       rejoice101.exe
Drops file in Program Files directory (3 IoCs)
  description                    ioc                                                                     process
  File opened for modification   C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe    07c570dd70589229a0421d681977a743_JaffaCakes118.exe
  File created                   C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat       07c570dd70589229a0421d681977a743_JaffaCakes118.exe
  File created                   C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe    07c570dd70589229a0421d681977a743_JaffaCakes118.exe
Program crash (1 IoCs)
  pid    pid_target   process        target process
  4240   5072         WerFault.exe   rejoice101.exe
Suspicious use of WriteProcessMemory (19 IoCs)
The report lists every call separately; the 19 entries collapse to five (source, target) pairs:
  calls   pid    process                                              target pid   target process
  5       2396   07c570dd70589229a0421d681977a743_JaffaCakes118.exe   4512         07c570dd70589229a0421d681977a743_JaffaCakes118.exe
  3       4512   07c570dd70589229a0421d681977a743_JaffaCakes118.exe   5040         rejoice101.exe
  5       5040   rejoice101.exe                                       5072         rejoice101.exe
  3       4512   07c570dd70589229a0421d681977a743_JaffaCakes118.exe   2044         cmd.exe
  3       5072   rejoice101.exe                                       5076         calc.exe
Processes
(indentation shows the parent/child depth recorded by the sandbox)

C:\Users\Admin\AppData\Local\Temp\07c570dd70589229a0421d681977a743_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\07c570dd70589229a0421d681977a743_JaffaCakes118.exe"
  PID: 2396
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\07c570dd70589229a0421d681977a743_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\07c570dd70589229a0421d681977a743_JaffaCakes118.exe
    PID: 4512
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
      command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
      PID: 5040
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
        command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
        PID: 5072
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\calc.exe
          command line: "C:\Windows\system32\calc.exe"
          PID: 5076

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 608
          PID: 4240
          - Program crash

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat""
      PID: 2044

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5072 -ip 5072
  PID: 3860
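The two SetThreadContext entries above (2396 into 4512, then 5040 into 5072) each pair with WriteProcessMemory from the same parent into a freshly launched copy of its own image, which is the process-hollowing pattern a detection should key on rather than WriteProcessMemory alone. The following Python is an added example and not part of the sandbox report: it rebuilds the report's process tree and API events as hand-constructed records and flags a child only when its own parent both wrote into it and reset its thread context. The record layout and function names are this example's assumptions, not the sandbox's export format.

```python
"""Flag process-hollowing pairs in a sandbox process tree.

Added example, not part of the sandbox report. The records below are
constructed by hand from the report's own process tree and its
SetThreadContext / WriteProcessMemory tables; the field names and the
function names are this example's assumptions, not the sandbox's export
format.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\07c570dd70589229a0421d681977a743_JaffaCakes118.exe"
DROPPED = r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


# Constructed from the report's process tree (ppid 0 = no parent in the tree).
PROCS = [
    Proc(2396, 0, SAMPLE),
    Proc(4512, 2396, SAMPLE),
    Proc(5040, 4512, DROPPED),
    Proc(5072, 5040, DROPPED),
    Proc(5076, 5072, r"C:\Windows\SysWOW64\calc.exe"),
    Proc(2044, 4512, r"C:\Windows\SysWOW64\cmd.exe"),
    Proc(4240, 5072, r"C:\Windows\SysWOW64\WerFault.exe"),
    Proc(3860, 0, r"C:\Windows\SysWOW64\WerFault.exe"),
]

# (api, source pid, target pid), constructed from the two signature tables.
# The report lists each WriteProcessMemory call separately; one entry per
# (source, target) pair is enough for this check.
EVENTS = [
    ("WriteProcessMemory", 2396, 4512),
    ("SetThreadContext", 2396, 4512),
    ("WriteProcessMemory", 4512, 5040),
    ("WriteProcessMemory", 4512, 2044),
    ("WriteProcessMemory", 5040, 5072),
    ("SetThreadContext", 5040, 5072),
    ("WriteProcessMemory", 5072, 5076),
]

HOLLOWING_APIS = frozenset({"WriteProcessMemory", "SetThreadContext"})


def find_hollowing(procs, events):
    """Return (parent_pid, child_pid, child_image, same_image) for every child
    whose own parent both wrote into it and reset a thread context.

    WriteProcessMemory on its own is not a signal: ordinary process creation
    also writes into the new child, which is why 4512->5040, 4512->2044 and
    5072->5076 appear in the report's WriteProcessMemory table with no
    matching SetThreadContext. The API pair, issued by the creating parent,
    is the hollowing fingerprint. same_image records whether the loader
    re-launched its own binary (the pattern in this report) or hollowed some
    other executable; both cases are reported.
    """
    by_pid = {p.pid: p for p in procs}
    apis_by_pair = defaultdict(set)
    for api, src, dst in events:
        apis_by_pair[(src, dst)].add(api)

    hits = []
    for (src, dst), apis in apis_by_pair.items():
        child = by_pid.get(dst)
        parent = by_pid.get(src)
        if child is None or parent is None or child.ppid != src:
            continue  # writes by a non-parent are a different alert, not hollowing
        if HOLLOWING_APIS <= apis:
            hits.append((src, dst, child.image, child.image == parent.image))
    return sorted(hits)


def hollowing_chain(procs, events):
    """Order the hollowed children as stages: a child deeper in the tree is a
    later stage. Returns child pids in stage order, [4512, 5072] for this tree."""
    by_pid = {p.pid: p for p in procs}
    hollowed = {child for _, child, _, _ in find_hollowing(procs, events)}

    def depth(pid):
        d = 0
        while pid in by_pid and by_pid[pid].ppid in by_pid:
            pid = by_pid[pid].ppid
            d += 1
        return d

    return sorted(hollowed, key=depth)


if __name__ == "__main__":
    for parent, child, image, same in find_hollowing(PROCS, EVENTS):
        kind = "self-image" if same else "foreign-image"
        print(f"{parent} -> {child}  {kind} hollowing of {image}")
    print("stage order:", hollowing_chain(PROCS, EVENTS))
```

Run against the constructed records this reports 2396 -> 4512 and 5040 -> 5072 as self-image hollowing and nothing else; the cmd.exe, calc.exe and WerFault.exe children never receive SetThreadContext and stay quiet. Feeding the same logic real telemetry (Sysmon Event ID 10 for the cross-process access, Event ID 1 for the parent link) needs only the two tables to be filled from those events instead of by hand.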
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 212B
MD5: 0dcca9fd2a7303501e9a819f0969d91c
SHA1: 5b71dd6267b8f905aeb2260a1b9c25683e4686bc
SHA256: 1d139972ca03486b6379293282ebeb3aa30b6087af9f3972974f55de367a4b77
SHA512: 81d847c0d215d6357eec4f6e27fe515b69c37070275aab2e4c46fe03965694bd5dc5f44728f5009046ff2a02b55869c2a8b5c795bd507825e0b160b651b883ee

Filesize: 732KB
MD5: 07c570dd70589229a0421d681977a743
SHA1: 2aed17a0a83135117cf59278b5d46ba293c45380
SHA256: f0913c4ceef7752db1bdda7e70617512da8e6ab399f329c0c77eb01d1aa199b1
SHA512: 0ceb158f1009d4b8e7ac022a7ad15c001abd2b73959ec513abc2851e32abd8fc5544e1b9564bcfeee7985bf078f23b9b36f61770122e78e1502798abebb17a48